signed - check a proposed escalation program against a known signature
signed [-P pid] [-C config] [-f file] [-g group] [-R root] [-u user]
mnemonic program euid:egid cred_type:cred
This helmet is intended to force a review of new applications and their
supporting startup scripts. It does this by assessing the output from
a shell command applied to the proposed escalated program. The command
is assumed to run some checksum, hash, or other consistency check
against the program file. The escalation fails when any of these commands
exit(3)s non-zero, or when the output of a command differs from the
expected output.
By recording a hash of the file in the op(1) configuration file we are
trying to detect unauthorized updates to either the application or its
start script. This assumes that the unauthorized updates do not
include access.cf, which would be a wholesale subornation of our secu-
This program accepts all the op-provided options, but actually doesn't
look at any of them (other than -P, and the program path). It does
sanity-check them, just the same.
Like any helmet, most of the configuration is passed from op via the
The shell command cmd is executed with the path to the proposed
file appended. The output must match the signature text, with
the exception that leading and trailing white-space on each line
is ignored, and all internal white-space is changed to a single
The shell command cmd is executed with the proposed file open as
stdin. The output must match the signature text as above.
The warning message to replace the common "Sorry" denial mes-
The standard reveal logic, see op-jacket(7).
All of these are deleted from each cmd's environment: $IFS, $CDPATH,
$ENV, $BASH_ENV to prevent perl(1) from refusing to run any commands.
There is no way in this jacket to set them. Code an adapter script to
call the correct checksum application while installing the necessary
These are examples from the command line:
Output only the version of the program, then exit.
Output only a summary of the environment expected.
All of these are snips from the op access.cf file. Note that you must
allow any referenced environment variables into the escalated environment,
and it is a really good idea to include a $PATH.
Check that the program is ls, and has the same text, data, and
bss segment sizes as it did when the admin last looked at it.
Any patch to the binary is quite likely to change at least one
Whatever program is proposed must match the given CRC checksum
and file size.
Just check that the file exists, via stat(2). No other check is
To build the output for a program, just run it with a filter that
compresses the white-space into quoted spaces for op on the end. Here is
an example filter:
tr -s ' \t' ' ' |sed -e 's/^ //' -e 's/ $//' -e 's/ /$./g'
Then copy each line into the configuration as an environment assignment
to the correct variable, separated with $. to represent line-breaks.
See the $SIGNED_CMD_size example above. Note that op also expands
"$\s" to a space, which is a little longer to spell than "$.". (However,
$. changes meanings in the command specification, we use it with
It might look like ls(1) would be an obvious choice to use, but the
date output format changes based on elapsed time. So use that with
This jacket trusts that the op configuration won't allow a malicious
shell command through the environment filter. Any configuration that
calls a helmet or jacket requires great care, but great power always
comes with great responsibility.
Sometimes a small script may be required to force options to the check
cmd. It would be clever to allow some character to stand in for a
space, but it would also be a problem because we'd have to be able to
quote it as well. Just code an adapter script -- you can simplify the
output as well (to just a number or string).
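The matching rules and the signature filter described above, re-created in plain sh so a cmd/signature pair can be tried out before it goes into access.cf. This is an added example, not code from op or signed; it assumes the expected text is handed over already expanded (as op would pass it to the helmet), uses the page's own filter as make_signature, and lets cat stand in for a checksum tool on a constructed file.

```sh
#!/bin/sh
# Added example, not part of op or signed(8): re-create the helmet's
# check so an admin can test a cmd/signature pair outside of op.

# Normalize output as the helmet does: drop leading/trailing white-space
# on each line, squeeze internal runs of blanks and tabs to one space.
normalize() {
    tr -s ' \t' ' ' | sed -e 's/^ //' -e 's/ $//'
}

# The filter from the man page: the form to paste into an access.cf
# environment assignment, with each remaining blank spelled "$.".
make_signature() {
    tr -s ' \t' ' ' | sed -e 's/^ //' -e 's/ $//' -e 's/ /$./g'
}

# check_signed CMD FILE EXPECTED: run CMD with FILE appended, with the
# shell variables signed deletes removed from its environment.  Succeeds
# only when CMD exits zero and its normalized output equals EXPECTED
# (already expanded text); anything else is a denied escalation.
check_signed() {
    cmd=$1 file=$2 want=$3
    raw=$(unset IFS CDPATH ENV BASH_ENV; sh -c "$cmd \"\$1\"" sh "$file") || return 1
    got=$(printf '%s\n' "$raw" | normalize)
    [ "$got" = "$want" ]
}

# Constructed sample file; its contents stand in for a checksum tool's
# output, with irregular spacing on purpose.
SAMPLE=$(mktemp)
printf 'text   data\tbss\n  1 2   3 \n' > "$SAMPLE"
trap 'rm -f "$SAMPLE"' EXIT

# The expected text the admin recorded when the file was last reviewed.
WANT='text data bss
1 2 3'

check_signed cat "$SAMPLE" "$WANT" && echo 'allowed: signature matches'
check_signed cat "$SAMPLE" 'text data bss
1 2 4' || echo 'denied: output changed'
check_signed false "$SAMPLE" "$WANT" || echo 'denied: check command failed'

# What the admin would paste into access.cf for this file:
make_signature < "$SAMPLE"
```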
K S Braunsdorf, from the Non-Player Character Guild
op at-not-a-spammer ksb dot npcguild.org.nopinks
op(1l), op-jacket(7l), stampctl(8l), getpeereid(3), hostname(1),
size(1), cksum(1), dgst(1), md5(1)